This is a security advisory regarding the unauthenticated local file disclosure vulnerability in inline image handling in ServiceDesk Plus MSP, which has been identified and rectified. This affects users of ServiceDesk Plus MSP (all editions) running version 10605 and below.
This issue was reported by our internal security team on our bug bounty portal.
This vulnerability allows adversaries to download local files from the server on which ServiceDesk Plus MSP is installed by sending an e-mail to the e-mail address configured in the application with a crafted image URL pointing to the specific file. If the file is present in that location, it gets added as an attachment in the ticket conversation when a technician responds to or when a notification is triggered for the ticket.
What led to the vulnerability?
The image's URL was not being processed properly when a technician responded to it or when a notification was triggered for the ticket.
Who is affected?
This vulnerability affects on-premises ServiceDesk Plus MSP customers of all editions using versions 10605 and below.
How have we fixed it?
We have added additional checks to process the inline image to avoid the local file disclosure vulnerability.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version of ServiceDesk Plus MSP (all editions) is 10605 or below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
What you can do
ServiceDesk Plus MSP customers who fit the above criteria can upgrade to the latest version (10606) using the appropriate migration path.
Version or service pack with the fix
10500 to 10536
Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you are using an Microsoft SQL Server as a backend database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at email@example.com.
ManageEngine ServiceDesk Plus MSP